Recently a new information-stealing Android malware was found being distributed as an email attachment as part of a targeted attack against Uyghur, Mongolian, Tibetan, and Chinese activists. The social-engineering attack was carried out through an email containing an invitation to the “World Uyghur Congress” (WUC) and an attachment pretending to be a letter on behalf of WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. In reality the file was the Android application “WUC’s Conference.” After being downloaded, the application asks for the following suspicious permissions:

Once the permissions are accepted and the application is installed on the device, the malware shows the following text related to the fake conference in Geneva:

At the same time, a service starts in the background without the user’s consent:

The service registers the infected device with the malware’s control server and starts collecting the following sensitive information:

The malware also registers a receiver in the system that continuously checks incoming SMS messages for one of the following commands: SMS, contact, location, or other (call records), in order to send the requested information.

Another variant with the same payload was found stored on the control server with the name “Document.apk,” but this time the malware shows text in Chinese that talks about disputed islands between China and Japan:

McAfee Mobile Security detects both variants of this threat as Android/Chuli.A and alerts mobile users if it is present on their devices, while protecting them from any data loss.
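The combination described above (an SMS command channel, access to SMS, contacts, location and call records, and a control server to report to) can be triaged from an app's manifest before it is installed. The following is an added example, not code from the original article or from McAfee: it assumes the manifest has already been decoded to plain XML (for instance with apktool), the mapping of data categories to Android permissions is this example's own, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
P = "android.permission."
# Data categories named in the article, mapped to the standard Android
# permissions that gate them (the mapping is this example's assumption).
CATEGORY_PERMS = {
    "sms": {P + "READ_SMS"},
    "contact": {P + "READ_CONTACTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "call records": {P + "READ_CALL_LOG"},
}
# Constructed sample manifest in decoded XML form; not taken from the real APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.conference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Flag apps that can take SMS input, read private data, and reach the network."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    categories = sorted(c for c, need in CATEGORY_PERMS.items() if perms & need)
    # Receivers may also be registered at runtime, so a static SMS receiver is
    # reported as supporting evidence rather than required for the verdict.
    receivers = [r.get(NAME) for r in root.iter("receiver")
                 if any(a.get(NAME) == SMS_ACTION for a in r.iter("action"))]
    suspicious = (P + "RECEIVE_SMS" in perms and P + "INTERNET" in perms
                  and len(categories) >= 2)
    return {"suspicious": suspicious, "categories": categories,
            "sms_receivers": receivers,
            "services": [s.get(NAME) for s in root.iter("service")]}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A positive result is a reason to inspect the app further, not a verdict: legitimate messaging and backup apps request similar permissions.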